Snort mailing list archives

coughing up water on FP and notifications


From: Crusty Saint <saintcrusty () gmail com>
Date: Fri, 1 Apr 2011 13:59:25 +0200

Hi,

Now that I'm running this trial Snort sensor against a medium-volume network
(about 100Mbit), I regularly notice what must be false positives.

Though it is reported, none are known on the SID page(s). I'm quite
confident this is mostly and most likely a PEBKAC situation.

For dcerpc I've tuned a bit and now it makes more sense. However, as this
network is likely to have suffered a trojan infection, I'm anxious to filter
out any configuration-related mistakes responsible for false positives /
false negatives. Reading the manual does help so far, but as I said, I'm
anxious.

For http://www.snort.org/search/sid/3-15114 I see repeated alerts, but this
confuses me. From what I've read, this should mean there is an actual exploit
being executed. From what I think I understand, this means there is a
vulnerable service accessible OR there is actually code being run against a
vulnerable service. Based on the specific rule, I'm assuming this is most
likely and indeed bad news.

I'm short on time so any pointer to a good read would be most welcome.


Best Regards,

SC.

-- 
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
Web Troubleshooting - If you think I deserve a rant, write me off-list